Thousands of confidential UN documents linked to gender equality push leaked online
UN Women documents found on unprotected database could put workers and victims at risk
A database believed to belong to the United Nations Trust Fund to End Violence against Women has been discovered unsecured online, containing financial reports, bank account information, staff details, victim testimonies and more.
The database, containing a total 228 GB of information, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.
It lacked any password protection, with the 115,141 files displayed unencrypted and accessible to anyone with an internet connection.
Victim and worker information exposed
While currently unconfirmed, the database contained information linked it to the UN Women and UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and stamped with UN logos, with specific reference to UN Women.
Amongst the information within the database, Fowler identified scanned passport documents and ID cards, alongside detailed information on staff roles including names, job roles, salary information and tax data.
“There were also documents labeled as “victim success stories” or testimonies,” Fowler wrote in his report for vpnMentor. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”
It is not known how long the database has been exposed for, whether the database is managed by the UN Women organization or a third party, or whether the database has been accessed by anyone outside of the organization.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Fowler explains several hypothetical situations in which the data could be misused, such as convincing spear phishing attacks against exposed email addresses using manipulated documents. Theoretically, a threat actor could also use the documents to gain a high-level understanding of the organization’s organizational and financial layout.
The UN Women organization has a scam alert posted on its website which is undated, but the page dates back to at least July 2022, with an update occurring in July 2024 adding a guide to using the Quantum procurement verification portal. Fowler alerted the UN Information Security team to the unprotected database, and received a response stating, “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”
More from TechRadar Pro
- Take a look at the best identity theft protection tools around
- The United Nations ditches Big Tech in a bid for security
- These are the best parental control apps
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.